From psirt@cisco.com Fri Jul 20 09:00:05 2001
From: Cisco Systems Product Security Incident Response Team
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Date: Fri, 20 Jul 2001 10:43:11 +0100 (BST)
Subject: Cisco Security Advisory: "Code Red" Worm Customer Impact
-----BEGIN PGP SIGNED MESSAGE-----
Cisco Security Advisory: "Code Red" Worm Customer Impact
Revision 1.0 For public release 2001 July 20 12:00 UTC
_________________________________________________________________
Summary
A malicious self replicating program known as the "Code Red" worm is
targeted at systems running the Microsoft Internet Information Server
(IIS). Several Cisco products are installed or provided on targeted
systems. Additionally, the behavior of the worm can cause problems for
other network devices.
The following Cisco products are vulnerable because they run affected
versions of Microsoft IIS:
* Cisco CallManager
* Cisco Unity Server
* Cisco uOne
* Cisco ICS7750
Other Cisco products may also be adversely affected by the "Code Red"
worm. Please see the Affected Products section for further details.
The worm and its effects may be remedied by applying the Microsoft
patch to affected servers,
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/
security/bulletin/MS01-033.asp.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml .
Affected Products
The following Cisco products are directly vulnerable because they run
affected versions of Microsoft IIS:
* Cisco CallManager
* Cisco Unity Server
* Cisco uOne
* Cisco ICS7750
* Cisco Building Broadband Service Manager
Other Cisco products may be indirectly affected by the IIS
vulnerability (this is not an exhaustive list):
* Cisco 600 series of DSL routers that have not been patched per the
Cisco Security Advisory,
http://www.cisco.com/warp/public/707/CBOS-multiple.shtml , will
stop forwarding traffic when scanned by a system infected by the
"Code Red" worm. The power must be cycled to restore normal
service.
* Cisco Network Management products are not directly affected but
might be installed on a Microsoft platform running a vulnerable
version of IIS.
Details
The "Code Red" worm exploits a known vulnerability in Microsoft IIS by
passing a specially crafted URI to the default HTTP service, port 80,
on a susceptible system. The URI consists of binary instructions which
cause the infected host to either begin scanning other random IP
addresses and pass the infection on to any other vulnerable systems it
finds, or launch a denial of service attack targeted at the IP address
198.137.240.91 which until very recently was assigned to
www.whitehouse.gov. In both cases the worm replaces the web server's
default web page with a defaced page at the time of initial infection.
The worm does not check for pre-existing infection, so that any given
system may be executing as many copies of the worm as have scanned it,
with a compounding effect on system and network demand.
As a side-effect, the URI used by the worm to infect other hosts
causes Cisco 600 series DSL routers to stop forwarding traffic by
triggering a previously-published vulnerability. Any 600 series
routers scanned by the "Code Red" worm will not resume normal service
until the power to the router has been cycled.
The nature of the "Code Red" worm's scan of random IP addresses and
the resulting sharp increase in network traffic can noticeably affect
Cisco Content Service Switches and Cisco routers running IOS,
depending on the device and its configuration. Unusually high CPU
utilization and memory starvation may occur.
Impact
The "Code Red" worm is causing widespread denial of service on the
Internet and is compromising large numbers of vulnerable systems. Once
infected, the management of a Cisco CallManager product is disabled or
severely limited until the defaced web page is removed and the
original management web page is restored.
Software Versions and Fixes
Microsoft has made a patch available for affected systems at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/
security/bulletin/MS01-033.asp .
Cisco is providing the same patch at
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=c
isco/voice/callmgr/win-IIS-SecurityUpdate-2.exe&swtype=FCS&code=&size=
246296
with documentation at
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=c
isco/voice/callmgr/win-IIS-SecurityUpdate-Readme-2.htm&swtype=FCS&code
=&size=4541
Cisco Building Broadband Service Manager is documented separately at
http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/bbsm50/ur
gent.htm .
Obtaining Fixed Software
Cisco is making available software patches and upgrades to remedy this
vulnerability for all affected Cisco customers.
For most Cisco customers, upgrades are available through the Software
Center on Cisco's Worldwide Web site at http://www.cisco.com/.
Customers without contracts can obtain the patch directly from
Microsoft or by contacting the Cisco Technical Assistance Center
(TAC). TAC contacts are as follows:
* (800) 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* E-mail: tac@cisco.com
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including instructions and
e-mail addresses for use in various languages.
Give the URL of this notice as evidence of your entitlement to a
free upgrade. Free upgrades for non-contract customers must be
requested through the TAC or directly from Microsoft. Please do not
contact either "psirt@cisco.com" or "security-alert@cisco.com" for
software upgrades.
Workarounds
We recommend following the instructions in the Microsoft security
bulletin for addressing the actual vulnerability.
Exploitation and Public Announcements
This issue is being exploited actively and has been discussed in
numerous public announcements and messages. References include:
* http://www.cert.org/advisories/CA-2001-19.html
* http://www.eeye.com/html/Research/Advisories/AD20010618.html
Status of This Notice: FINAL
This is a final notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all of the information has been
checked to the best of our ability. Should there be a significant
change in the facts, Cisco may update this notice.
Distribution
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml
In addition to Worldwide Web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients:
* cust-security-announce@cisco.com
* bugtraq@securityfocus.com
* firewalls@lists.gnac.com
* first-teams@first.org (includes CERT/CC)
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* nanog@nanog.org
* incidents@securityfocus.com
* comp.dcom.sys.cisco
* Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on the Cisco
Security Advisories page at http://www.cisco.com/go/psirt/, but
may or may not be actively announced on mailing lists or newsgroups.
Users concerned about this problem are encouraged to check the URL
given above for any updates.
Revision History
Revision 1.0 2001-Jul-20 Initial public release
Cisco Product Security Incident Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml .
This includes instructions for press inquiries regarding Cisco
security notices.
_________________________________________________________________
This notice is Copyright 2001 by Cisco Systems, Inc. This notice may
be redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and unmodified,
including all date and version information.
_________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQEVAwUBO1f3m2iN3BRdFxkbAQHFrQf9FkJJdW0EsGmOqKCjO+KACbE+G++pnY+X
AOQRWvyV+XZwLo4VWAcS47A6p2e/hOEcqOBSgYYX8L+dbsF/8geHURhCTQB628kQ
uvtc+A2q9rxIjLqrZcjda7rwZB9ISqXxRZbuTOomtKGx2n2CQ/4K67/j2QFYs+1P
Mf02XKv4IUF1N6adKh23aJ0DILoFmge4b26V7NtHEDJ70fJyqSzk1z+soHlyeZ+z
wGwUCMGfSlQr5uXhD5bJF8b5unYNiANy6lGS0uotjapNZN8JmbQeEjCX1Bf7bAlm
0l+LgwM7Q4Y0n7poXOw7Pw52r3bcL2XuxTY4BJSl97Fbt3daUxPiVw==
=7r1T
-----END PGP SIGNATURE-----